Vulnerability Analysis in Web Application using Burp Scanner

Hello friends! Today we are going to use Burp Suite Scanner which is use for website security testing to identify certain vulnerability inside it. It is the first phase for web penetration testing for every security tester.

Burp Scanner is a tool for automatically finding security vulnerabilities in web applications. It is designed to be used by security testers, and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.

Target: www.testphp.vulnweb.com

Lets Start with burp proxy in order to intercept request between browser and website. From screenshot you can perceive that we have forwarded the intercepted data for “an active scan”.

Note: Always configure your browser proxy while making use of burp suite to intercept the request.

Through a window alert it will ask to confirm your action for active scan; press YES to begin the active scan on targeted website.

Issue Activity

The issue activity tab contains a sequential record of the Scanner’s activity in finding new issues and updating existing issues. This is useful for various purposes:

An index number for the item, reflecting the order in which items were added.

The time that the activity occurred.

The action that was performed.

The issue type.

The host and URL path for the issue.

The insertion point for the issue, where applicable.

The severity and confidence of the issue.

From screenshot you can observe that it highlighted 8 types of issues found inside website from scanning result as following:

Cross-site scripting (reflected)

Flash cross-domain policy

SQL injection

Unencrypted communications

Cross-domain Referer leakage

Email addresses disclosed

Frameable response (potential Clickjacking)

Path-relative style sheet import

Active Scan Queue

Active scanning typically involves sending large numbers of requests to the server for each base request that is scanned, and this can be a time consuming process. When you send requests for active scanning, these are added to the active scan queue, in which they are processed in turn.

An index number for the item, reflecting the order in which items were added.

The destination protocol, host and URL.

The current status of the item, including percentage complete.

The number of scan issues identified for the item.

The number of requests made while scanning the item.

The number of network errors

The number of insertion pointscreated for the item.

The start and end times of the item’s scanning.

One by one we are going to demonstrate these vulnerabilities in details using request and response.

Advisory on Cross-site scripting (reflected)

It gave your brief detail of vulnerability and idea to exploit it.

Issue:

Cross-site scripting (reflected)

Severity:

High

Confidence:

Certain

Host:

http://testphp.vulnweb.com

Path:

/listproducts.php

The value of the cat request parameter is copied into the HTML document as plain text between tags. The payload was submitted in the cat parameter. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application’s response.

Inside request tab we will get Inject payload with intercepted data in order to receive certain response of generated request. In given image you can observe that it has injected JavaScript inside URL with Cat parameter

As response we can see the injected payload get submitted inside database. Now it will generate an alert prompt on screen when get executed on website.

Let’s verify it manually on running website.

Execute following script inside URL with cat parameter As result you will receive prompt 1 as alert window.

Advisory on SQL injection

Similarly test for other vulnerability

Issue:

SQL injection

Severity:

High

Confidence:

Firm

Host:

http://testphp.vulnweb.com

Path:

/listproducts.php

The cat parameter appears to be vulnerable to SQL injection attacks. The payload ‘ was submitted in the cat parameter, and a database error message was returned. You should review the contents of the error message, and the application’s handling of other input, to confirm whether vulnerability is present.

The database appears to be MySQL.

Under request tab single code (‘) will pass with cat parameter to break the SQL statement in order to receive database error as response.

Under response tab you can read the highlighted text which is clearly point towards SQL vulnerability inside database.

Advisory on Flash cross-domain policy

Issue:

Flash cross-domain policy

Severity:

High

Confidence:

Certain

Host:

http://testphp.vulnweb.com

Path:

/crossdomain.xml

The application publishes a Flash cross-domain policy which allows access from any domain. Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Similarly as above it has generated the request through GET method using crossdomain.xml

It has receive successful response over its GET request , inside highlighted text you can read it has allow to access this site from any domain with any port number and security is set as False.

In this way we can see how the burp suite scanner tests the security loop holes in a website.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Share this:

Like this:

LikeLoading...

ABOUT THE AUTHOR

Raj Chandel

Raj Chandel is a Skilled and Passionate IT Professional especially in IT-Hacking Industry. At present other than his name he can also be called as An Ethical Hacker, A Cyber Security Expert, A Penetration Tester. With years of quality Experience in IT and software industry